NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-4(24) Indicators of Compromise

Discover, collect, and distribute to {{ insert: param, si-04.24_odp.02 }}, indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational systems at the host or network level. IOCs provide valuable information on systems that have been compromised. IOCs can include the creation of registry key values. IOCs for network traffic include Universal Resource Locator or protocol elements that indicate malicious code command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that systems and organizations are vulnerable to the same exploit or attack. Threat indicators, signatures, tactics, techniques, procedures, and other indicators of compromise may be available via government and non-government cooperatives, including the Forum of Incident Response and Security Teams, the United States Computer Emergency Readiness Team, the Defense Industrial Base Cybersecurity Information Sharing Program, and the CERT Coordination Center.

Practitioner Notes

Monitor for indicators of compromise (IOCs) — specific technical artifacts (file hashes, IP addresses, domain names) that indicate a known threat is present.

Example 1: Subscribe to threat intelligence feeds (CISA AIS, Anomali, Recorded Future) and integrate them with your SIEM. When a known malicious IP or domain appears in your logs, the SIEM automatically flags it as a potential compromise.

Example 2: Configure Microsoft Defender for Endpoint to use custom IOC lists. Upload file hashes, URLs, and IP addresses from threat intelligence reports. The agent checks all endpoint activity against these indicators and alerts or blocks as configured.
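As an added illustration of the SIEM-side matching described in Example 1 (example code written for this page, not code from NIST or from any product named above), the following Python checks key=value log records against a distributed IOC set. The feed values, log records and field names are constructed for the example; it matches hashes case-insensitively, IPs against single hosts or CIDR blocks, and domains by exact or subdomain match so that a look-alike name does not produce a false hit.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed IOC set standing in for a partner feed (documentation-only values, not real IOCs).
IOC_FEED = {
    "sha256": {"b" * 64},
    "ipv4": {"203.0.113.7", "198.51.100.0/24"},  # single host and a CIDR block
    "domain": {"c2.example.net"},
}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def _ip_hit(value, feed):
    # Returns the feed entry whose host or CIDR contains value, else None.
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    return next((i for i in feed["ipv4"]
                 if addr in ipaddress.ip_network(i, strict=False)), None)

def _domain_hit(host, feed):
    # Exact or subdomain match only: notc2.example.net must not match c2.example.net.
    host = host.lower().rstrip(".")
    return next((i for i in feed["domain"]
                 if host == i or host.endswith("." + i)), None)

def match_iocs(line, feed=IOC_FEED):
    """Return (field, probed_value, matched_ioc, kind) for every IOC hit in one record."""
    hits = []
    for key, raw in KV_RE.findall(line):
        probe = raw.strip('"')
        if key == "url":  # compare the URL's host, not the whole string
            probe = urlsplit(probe).hostname or ""
        if SHA256_RE.match(probe.lower()):  # hashes compared case-insensitively
            if probe.lower() in feed["sha256"]:
                hits.append((key, probe, probe.lower(), "sha256"))
        elif (ioc := _ip_hit(probe, feed)):
            hits.append((key, probe, ioc, "ipv4"))
        elif (ioc := _domain_hit(probe, feed)):
            hits.append((key, probe, ioc, "domain"))
    return hits

SAMPLE_LOGS = [  # constructed records in a generic key=value format
    "ts=2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.7 url=http://update.c2.example.net/b",
    "ts=2024-05-01T10:00:02Z src=10.0.0.6 dst=198.51.100.42 host=www.example.org",
    "ts=2024-05-01T10:00:05Z host=pc7 file=a.exe sha256=" + "B" * 64,
    "ts=2024-05-01T10:00:09Z src=10.0.0.8 dst=192.0.2.1 host=notc2.example.net",
]
```

Running `match_iocs` over each entry of `SAMPLE_LOGS` flags the first three records and leaves the fourth clean, which is the behaviour a SIEM correlation rule built on a feed should reproduce.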